
9/20/2012
04:30 PM

RSA Report Offers A Blueprint For Next-Generation SIEM

New report co-authored by RSA, CSC, Terremark, and Verizon calls for a "big data"-driven early warning system

Traditional security information and event management (SIEM) systems just don't cut it anymore against the persistent attacks many enterprises face every day.

That's not to say all SIEM systems are trapped in time as mere gatherers of forensic data: some SIEM and log management systems are now beginning to detect attacks in real time, and SIEM is gradually evolving into a real-time analysis and alarm technology, security experts say.

This next-generation SIEM is the subject of a new report sponsored by RSA and co-written by CSC, RSA, Terremark, and Verizon, called "Transforming Traditional Security Strategies into an Early Warning System for Advanced Threats." One of the key ingredients of this new SIEM model is so-called "big data" analytics, where threat detection comes from analyzing behavioral and other trends across large volumes of information from many sources rather than from old-school signature-based technology.

SIEM needs to add "pervasive" visibility via network packet capture and session reconstruction, the report says; analytics that drill down into risk specific to an organization and compare behaviors; scalability; and a centralized repository for security data.

Eddie Schwartz, vice president and CISO, RSA, the security division of EMC, says it's all about taking the best of SIEM – such as correlation and handling large amounts of data – and combining that with features such as contextual analysis, and external threat intelligence, which NetWitness offers, for example. "This mirrors the move we have been making from technology at RSA ... that addresses the ongoing benefits of SIEM, with big data on the back-end, and unifying security management on the front-end with a console that brings together capabilities of investigating, correlation, and malware analysis," he says.

The report calls for the next-generation SIEM's visibility to include the ability to fully reconstruct activity on the network or systems, in order to better identify malware, track the attacker's movements once he's inside, and confirm that malicious activity is under way.

Also, SIEM systems should be able to gather and use data from various sources to detect advanced attacks. "For example, security analytics systems should search for behavior patterns and risk factors, not just static rules and known signatures. Security analytics systems should also consider the relative value of enterprise assets at risk, flagging events associated with high-value assets," the report says.
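The two ideas in that passage, scoring behavior against a baseline rather than matching a fixed signature and weighting the result by the value of the asset touched, can be shown on a handful of log lines. The following is an added illustration and is not code from the report or from any of the vendors named; the log format, hosts, users, asset values, baselines and signature list are all constructed for the example.

```python
"""Asset-weighted behavioural scoring over auth events.

Added example, not code from the RSA/CSC/Terremark/Verizon report. The log
format, hosts, users, asset values and baselines below are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events in a key=value line format (not a real product's log).
SAMPLE_LOG = """\
2012-09-20T09:02:11 user=alice src=wks-03 dst=fileshare01 result=success proc=explorer.exe
2012-09-20T09:40:52 user=alice src=wks-03 dst=mail01 result=success proc=outlook.exe
2012-09-20T02:10:07 user=bob src=wks-17 dst=fileshare01 result=success proc=cmd.exe
2012-09-20T02:14:33 user=bob src=wks-17 dst=hr-db result=success proc=cmd.exe
2012-09-20T02:19:48 user=bob src=wks-17 dst=dc01 result=success proc=net.exe
2012-09-20T02:21:02 user=bob src=wks-17 dst=dc01 result=failure proc=net.exe
2012-09-20T14:05:19 user=carol src=wks-22 dst=wks-22 result=success proc=mimikatz.exe
"""

# Assumed relative value of assets (hypothetical); unknown hosts count as 1.
ASSET_VALUE = {"dc01": 10, "hr-db": 8, "fileshare01": 4, "mail01": 3}
# Assumed baseline: distinct hosts each user normally reaches within one hour.
BASELINE_DISTINCT_HOSTS = {"alice": 2, "bob": 1, "carol": 1}
# A static signature list, standing in for the "known signatures" of a legacy rule.
KNOWN_BAD_PROCS = {"mimikatz.exe"}


def parse_event(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def load_events(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def signature_alerts(events, signatures=KNOWN_BAD_PROCS):
    """Legacy rule: alert only when a process name matches a known signature."""
    return [ev for ev in events if ev["proc"] in signatures]


def behavioural_alerts(events, window=timedelta(hours=1),
                       baseline=BASELINE_DISTINCT_HOSTS, asset_value=ASSET_VALUE):
    """Score each user by how far their host fan-out within `window` exceeds
    their baseline, weighted by the most valuable asset touched."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        best_hosts = set()
        for i, ev in enumerate(evs):
            # Distinct destinations in the sliding window that ends at this event.
            hosts = {e["dst"] for e in evs[: i + 1] if ev["ts"] - e["ts"] <= window}
            if len(hosts) > len(best_hosts):
                best_hosts = hosts
        excess = len(best_hosts) - baseline.get(user, 1)
        if excess > 0:
            weight = max(asset_value.get(h, 1) for h in best_hosts)
            alerts[user] = {"score": excess * weight, "hosts": sorted(best_hosts)}
    return alerts


def ranked_alerts(events):
    """Highest-value alerts first, so the analyst sees dc01 before a workstation."""
    alerts = behavioural_alerts(events)
    return sorted(alerts.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    print("signature hits:", [(e["user"], e["proc"]) for e in signature_alerts(events)])
    for user, a in ranked_alerts(events):
        print(f"{user}: score={a['score']} hosts={a['hosts']}")
```

On the constructed input, the signature rule fires only on carol's `mimikatz.exe`, while bob, who touches three hosts in ten minutes using nothing but `cmd.exe` and `net.exe`, never matches a signature and is caught only by the baseline comparison; his score is driven to the top of the queue by the domain controller among his destinations. The baseline here is a hand-set constant, which is the part a real analytics platform would learn from history.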

So these tools need to be able to scale well. "Security analytics platforms must include features such as a distributed n-tier storage architecture and an analytics engine that normalizes and processes large, disparate data sets at very high speed. Data storage and analytics must scale together linearly," the report says.

They also should be able to automatically integrate threat intelligence from various sources in a centralized way, according to the report.

"Breaches aren't really smash-and-grab anymore. The vast majority of breach and compromise cases last year occurred over a period of months. Our experience shows it's more valuable to get a complete view of what happened over the long haul and take mitigation steps than to get a near real-time analysis of events," says Jonathan Nguyen-Duy, director of global security services at Verizon Business, who co-authored the report.

The full SIEM security brief is available here for download (PDF).

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

JCharles, User Rank: Apprentice, 1/25/2013 | 3:39:35 PM
re: RSA Report Offers A Blueprint For Next-Generation SIEM
So the future of the SIEM is... the Big Data SIEM. Well, such solutions are already out there, like Secnology. But hire a Security Expert, because the magic box or software aren't.